The US government is using eye scans and facial recognition technology for the first time to verify the identities of foreigners leaving the country on foot — a trial move aimed at closing a long-standing security gap, officials announced. Before now, foreigners who left the country were rarely checked by U.S. authorities as they walked into Mexico or Canada through ports of entry. The checkout system that launched Feb. 11 at a busy San Diego border crossing with Mexico aims to ensure those who enter the country leave when their visas expire and identify those who violate that. Up to half of people in the U.S. illegally are believed to have overstayed their visas. Authorities are using the trial runs to determine which technology is the fastest, most accurate and least intrusive in screening people coming and going at all land crossings along the 3145-kilometre border with Mexico. Final results are expected this summer, with the goal of expanding the checks to all land, air and sea ports. Federal officials say they will not share or retain the data collected in the trial runs, but it is not clear how the information will be used if the program is adopted permanently. [Source]
CA – OIPC SK Unable to Determine if Employee Access to Individual’s Personal Information Was for Legitimate Purposes
The Saskatchewan IPC investigated a complaint alleging improper disclosure of personal information by an employee of Saskatchewan Government Insurance. The employee conducted a specific license plate search on a vehicle belonging to the individual; the individual argues that she has a contentious relationship with the employee, however the search was a typical part of the employee’s duties. The government agency must evaluate solutions to determine whether employee access is for legitimate business purposes. [Investigation Report 189-2015 – Saskatchewan Government Insurance]
CA – OIPC AB Upholds Educational Institution’s Disclosure of Student’s PI in the Course of a Conflict Resolution Process
This OIPC AB order investigated the alleged unlawful collection and disclosure of a student’s personal information by Bow Valley College pursuant to Alberta’s Freedom of Information and Protection of Privacy Act. An academic official reasonably communicated PI about one student in emails to 2 supervisors, to ensure that the students did not have contact with one another and to decide if further disciplinary action might be necessary; the student’s PI was secure because email messages remain only within the internal computer network (monitored for security threats, viruses and unauthorized access) and employees’ email accounts are password protected. [Order F2016-01 – Bow Valley College]
Air carriers should be allowed to share information about unruly passengers to help keep the skies safer, Canada’s largest airline says. A carrier can ban people with a history of disruptive behaviour from taking further flights with that airline, Air Canada notes in a submission to the federal government. But legislation does not permit airlines to exchange information about passengers, even when they believe them to be a safety risk to others. In the submission to a federal review of the Canada Transportation Act, Air Canada says safety “should always be first and foremost.” A report flowing from the review — likely to include some recommendations about air safety — is expected to be made public in coming weeks. The federal privacy commissioner’s office said it was unaware of Air Canada’s sharing proposal, had not studied the issue and could provide no comment at this time. [The Canadian Press]
Nymity announced its newest privacy management tool, the Nymity Planner. The “activity based” Nymity Planner “helps privacy offices operationalize compliance, document evidence and resources, delegate accountability, and ‘plan’ privacy management throughout the organization,” the report states. It also includes a GDPR add-on, so companies can consider GDPR compliance as they work to increase privacy protections in their organization. Nymity also has plans to include a Privacy Shield add-on. “The solution will prove to be highly valuable for those privacy officers who are looking to embed, manage, and report on structured privacy management across their organization,” said Nymity’s Constantine Karbaliotis, [GlobeNewswire]
On February 10, 2016, Lynne Perrault and Dana-Lynn Wood of the CRTC provided the latest in what is becoming a series of CASL briefings, as part of an “on-going dialogue” with industry. The CRTC now has a year and a half of enforcement experience under its belt for the Commercial Electronic Messages (CEMs) provisions of CASL, so this presentation focused on patterns and issues that have emerged in that period, and some guidance in response to those issues, including complaint statistics, priorities, and enforcement and other compliance issues. [Canadian Tech Law Blog] See also: [If you hate telemarketers, you’ll love this robot designed to waste their time]
A nationwide survey from Office of the National Coordinator for Health IT conducted between 2012 and 2014 indicates patients are growing more comfortable with electronic medical records and support data-sharing, though a summary from the agency notes that the survey took place before several major healthcare data breaches in 2015. Preserving patient trust is an essential part of establishing an interoperable health IT infrastructure. A study from the University of Wisconsin-Milwaukee and Dartmouth College based on the 2012 Health Information National Trends Survey found that 13% of respondents reported having withheld information from their provider because of privacy and security concerns. Privacy concerns can “crash” big data initiatives before they become useful, while the key to success lies in finding the right balance, experts said at a Princeton University event in April 2014. ONC data brief [FierceHealthIT]
A debate pitting the government against tech companies has now come to a showdown after Apple CEO Tim Cook announced the company will not comply with a federal court order that it help the FBI unlock the iPhone of one of the San Bernardino shooters. In a win for the government, Magistrate Judge Sheri Pym ordered Apple to provide technical assistance to disable the phone’s password-wipe function — after 10 incorrect password attempts, the phone erases its data — so that authorities could “brute force” the phone’s password. Hours later, Cook announced the company would fight the order. In a message to Apple customers, the company wrote, “This moment calls for public discussion, and we want our customers and people around the country to understand what is at stake.” [The New York Times] See also: [Can the FBI Force Apple to Write Software to Weaken Its Software? ] [Why Apple Is Right to Challenge an Order to Help the F.B.I.] [Apple’s Line in the Sand Was Over a Year in the Making] [Who does Apple think it is? ] [Apple Said to Get More Time to Fight Order to Unlock IPhone ] [Why you should side with Apple, not the FBI, in the San Bernardino iPhone case ] [Here’s What The FBI Actually Asked Apple To Do It’s more complicated than it seems.] [No, Apple Has Not Unlocked 70 iPhones For Law Enforcement ] [Apple vs. The FBI: Questions Not Asked ] [Apple vs. the FBI: Facebook, Twitter, Google, John McAfee and more are taking sides ] [Apple backdoor court order being watched in Canada] [Read Apple’s unprecedented letter to customers about security] [Tech Reactions on Apple Highlight Issues with Government Requests] and finally: [In the Matter of the Search of an Apple iPhone Seized During the Execution of a Search Warrant on a Black Lexus IS300, California License Plate 35KGD203 – Order Compelling Apple Inc. to Assist Agents in Search – United States District Court For The Central District Of California
In its statement in response to the announcement of the new EU-U.S. Privacy Shield, the Article 29 WP enunciated “four essential guarantees,” derived from “jurisprudence,” that it is using to assess the protections provided to ensure intelligence surveillance respects fundamental rights. These are:
- Processing should be based on clear, precise and accessible rules: This means that anyone who is reasonably informed should be able to foresee what might happen with their data where it is transferred;
- Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated: A balance needs to be found between the objective for which the data is collected and accessed (generally national security) and the rights of the individual;
- An independent oversight mechanism should exist, that is both effective and impartial: This can either be a judge or another independent body, as long as it has sufficient ability to carry out the necessary checks;
- Effective remedies need to be available to the individual: Anyone should have the right to defend her/his rights before an independent body.
These four standards are almost identical to the essential safeguards under the EU legal order used in the Sidley Austin report, “Essentially Equivalent: A comparison of the legal orders for privacy and data protection the European Union and United States,” as a basis to compare surveillance laws in the United States and eight illustrative EU member states. [IAPP] [Article 29 WP – Statement on the 2016 Action Plan for the Implementation of the GDPR Work Programme | Action Plan]
The UK ICO has launched a self-assessment tool to help small and medium organisations assess compliance with the Data Protection Act. The tool outlines obligations for registration of personal data processing, identification of individuals responsible for development, implementation and monitoring of data protection and information security policies, training of staff and disposal of personal data held; security measures should be established for effective malware defences, logging and monitoring of user and system activity, and detection of unauthorised access or anomalous use. [ICO UK – ICO Launches New Data Protection Self Assessment Tool for SMEs]
- The UK Intelligence and Security Committee says the Investigatory Powers Bill lacks clarity and transparency, and it recommends legislators work to address with greater clarity the issues of “equipment interference, bulk personal datasets and communications data.”
- Privacy advocates and members of Parliament have taken umbrage with a draft Dutch legislation that expands police hacking ability.
- Attorney Maja Smoltczyk has been elected as Berlin’s new Commissioner for Data Protection and Freedom of Information, replacing Alexander Dix.
Over the course of the last four years, the personal records of more than 49 million Californians were put at risk, according to a new data breach report from California Attorney General Kamala Harris. Between 2012 and 2015 there were 657 reported breaches, and three out of five state residents were victims of a data breach in just 2015 alone. The report includes information on the most common types of data breached, explains what types of breaches different industry sectors were most susceptible to, and provides recommendations to reduce the frequency and impact of future breaches. The report articulates basic steps that businesses and organizations must take to comply with the law, reduce data breaches, and better protect the public and our national security. The report also includes recommendations for businesses to better protect personal data and maintain “reasonable security.” [Source] [California Data Breach Report February 2016] [California Reports 49 Million Records Breached in Four Years]
The Supreme Court of Canada has agreed to hear Google’s appeal of a worldwide injunction which critics warn could turn B.C. into a destination for ‘censorship tourism’. The tech giant is challenging a B.C. Supreme Court ruling made in relation to a Burnaby-based company’s bid to stop another firm from profiting from the sales of stolen technology. Google was a third party in the litigation, dragged into the case because Datalink relies on web search engines to attract potential customers. Google voluntarily removed 345 links from search results in Canada. But Equustek accused Datalink of playing ‘Whack-A-Mole’ by going international with its listings. Hence the worldwide injunction in 2014 from B.C. Supreme Court Justice Lauri Ann Fenlon. “The courts must adapt to the reality of e-commerce with its potential for abuse by those who would take the property of others and sell it through the borderless electronic web of the internet,” Fenlon wrote. “That (injunction) is necessary … to ensure that the defendants cannot continue to flout the court’s orders.” The ruling, which was upheld by the B.C. Court of Appeal, made headlines around the world. It’s one of a growing body of legal decisions struggling to balance rights and responsibilities of technology companies operating across global boundaries.
In agreeing to hear the case, Canada’s highest court defined those questions as follows:
- “Under what circumstances may a court order a search engine to block search results, having regard to the interest in access to information and freedom of expression, and what limits (either geographic or temporal) must be imposed on those orders?”
- “Do Canadian courts have the authority to block search results outside of Canada’s borders?”
- “Under what circumstances, if any, is a litigant entitled to an interlocutory injunction against a non-party that is not alleged to have done anything wrong? [CBC] [Canadian courts wade into free-speech battle with worldwide injunction against Google]
The New Zealand privacy commissioner revealed that government agencies, including Inland Revenue, Police and Ministry of Social Development made nearly 12,000 requests for citizens’ personal information to only 10 companies from August to October 2015. This information was revealed as part of an Office of the Privacy Commissioner trial transparency program. The OPC further discovered that more than 1,000 information requests were incorrectly labelled as being made under the Privacy Act, which provides no mechanism for government agencies to make requests for personal information. The 10 companies voluntarily complied with the information requests approximately 96 percent of the time, which has left some lawyers and privacy advocates concerned that agencies were misleading companies by using clauses of the Privacy Act to compel sharing of personal information. [NZ Herald]
The Information and Privacy Commissioner in Ontario reviewed a decision by the City of Oshawa to deny access to records requested pursuant to the Municipal Freedom of Information and Protection of Privacy Act. Although the councillor is not an employee of the public body (elected members of a municipal council or not agents or employees of municipal corporations), the record is under the control of the public body; the contents of the record relate to a departmental matter and the public body could reasonably expect to obtain a copy of the record upon request. [IPC ON – Order Mo-3281 – The Corporation of the City of Oshawa]
The Department of Health and Human Services’ Office for Civil Rights debuted new scenario-based guidance to help health care providers better understand how to protect patient data and comply with HIPAA on mobile devices. Privacy advocates are pleased. “This guidance is important since some developers still aren’t clear about whether they fall under HIPAA or not — that is, whether or not they are HIPAA-defined business associates,” said The Marblehead Group. The guidance is next in the agency’s “cyber-awareness initiative,” with a manual on HIPAA and cloud computing forthcoming, the report adds. [GovInfoSecurity]
A bill proposing to double the fines for violations of Ontario’s Personal Health Information Protection Act was a subject of debate at Queen’s Park in Toronto. Bill 119, the Health Information Protection Act, was tabled Sept. 16 by Liberal Health Minister Eric Hoskins. Among other things, Bill 119, if passed into law, would double the maximum fines for offences, under PHIPA, from $50,000 to $100,000 for individuals and from $250,000 to $500,000 for organizations,” said Indira Naidoo-Harris Liberal MPP for Halton and parliamentary assistant to Hoskins, at Queen’s Park Tuesday. Other changes proposed in Bill 119 “include making it mandatory to report privacy breaches as defined in regulation.” [Canadian Underwriter]
500 Saskatchewan residents were invited to participate in a new pilot program offered by eHealth. The pilot allows residents to view their personal health information online through a secure website. So far, 232 residents have created accounts. The Citizen Health Information Portal (CHIP) pilot will include up to 1,000 participants from across the province. Throughout the six-month trial period, participants can view their personal lab results, immunization history, 25 months of prescription history and hospital visits from anywhere in the world. Participants can add their personal history to the record, including information about allergies and surgeries and medication reminders. Parents can access their children’s health-care information, and travellers can print their health information and take it with them on holidays. [Source] [Saskatchewan patient access to online health records requires big focus on security] [Debate continues on Ontario health privacy breach law]
Computer systems at the Hollywood Presbyterian Medical Center in southern California have fallen prey to ransomware. The systems have been offline for more than a week. Employees were not able to access patient files and the hospital declared the situation an internal emergency. The FBI, the L.A. Police Department, and cyberforensics experts are investigating. The attackers have demanded a ransom of 9,000 Bitcoins (approximately US $3.6 million) While the organization is dealing with the attack, its network is offline and “staff are struggling to deal with the loss of email and access to some patient data.” Some patients have also been transferred to other hospitals because of the attack, and registrations and medical records are currently being logged on paper. Meanwhile, a new study by the Cloud Security Alliance and Skyhigh has found that cybersecurity insurance makes companies more likely to pay in ransomware attacks. [CSO Online] [ZDNet] [ComputerWorld] [BBC] UPDATE: [LA Hospital Pays Hackers Nearly $17,000 To Restore Computer Network]
What does Google do with the personal information it collects from children who use Google products at school? Google provided some answers in a seven-page letter to Sen. Al Franken (D-Minn.), the ranking member of the Judiciary Subcommittee on Privacy, Technology and the Law. Google does not use K-12 students’ personal information to serve targeted advertisements, but Google does track data from students for other reasons, including developing and improving Google products. Such tracking happens when students are signed into their Google Apps for Education account but are using certain Google services — such as Search, YouTube, Blogger and Maps — that are considered outside Google’s core educational offerings. Thousands of K-12 schools and universities — and more than 30 million students and teachers — use Google’s Apps for Education, which the company provides to schools free of charge. Franken said that Google’s response was “thorough,” but said he will seek further clarification from Google about some of its privacy policies regarding student data. UC Berkeley students sue Google, alleging their emails were illegally scanned [The Washington Post]
A new survey out of the U.S. identifies a cloud computing spending pattern – 90% of respondents say their companies plan to increase or maintain related budgets – that signals a growth opportunity for providers. Cloud service providers are advised to target opportunity in enterprise market, Washington, D.C.-based B2B research firm Clutch suggested in releasing its 2016 Enterprise Cloud Computing Survey last week. [Canadian Underwriter] See also: [Privacy, power concerns drive Canadian data center growth]
The Ottawa Police Service denied a group’s request to have full disclosure in reviewing sexual assault cases, citing privacy concerns as the main reason. Scassa, a law professor and member of the external advisory committee of the Office of the Privacy Commissioner of Canada, said the (external audit) model could be adopted in Ottawa if the advocates who review cases sign confidentiality agreements. The group that has been lobbying the Ottawa police to adopt the model said they would be willing to do that. “There’s nothing in Ontario privacy law that stops the police here from doing the same thing,” said Scassa. “I think there is a great tendency to use privacy as an excuse for not doing things, or for government institutions to use privacy as an excuse for not doing things they don’t want to do.” [MetroNews]
The head of a St. Catharines social agency says more missing adults in Ontario could be found if government legislation did not prohibit sharing personal information with family members. “They have rights and responsibilities within the Mental Health Act that precludes us from going and taking them and forcing them into a situation that they’re not comfortable with.” Souter says it is important to respect the privacy of all people, but rules around confidentiality often put an individual at odds with his or her family. [CBC] [Ontario man missing 30 years suddenly remembers own identity] SEE ALSO: [B.C. privacy laws slow efforts to find, compensate children of missing women]
Delinquent parkers beware: it’s going to get a lot harder to dodge a parking ticket if you overstay your welcome in Waterloo’s free parking zones. A new license plate recognition vehicle will begin patrolling the streets in March. The vehicle will use specialized cameras to scan licence plates, capture the GPS coordinates of the vehicle and capture a before and after image of the vehicle’s wheels. It’s an initiative the city has been working on since 2011, said Waterloo’s manager of compliance and standards. Mulhern says part of why it took five years to get the program off the ground was the city’s dedication to ensuring all possible privacy concerns had been addressed. He said the city worked with the privacy commissioner to make sure the system was set up correctly and that data would be stored securely and for no longer than necessary. Labouring over those kinds of details seems to have paid off. When contacted by the CBC, Ontario Civil Liberties Association executive director Joseph Hickey said it appeared the city had addressed privacy concerns, and “therefore this is a minor issue for us.” The city plans to hold an open house Thursday at RIM Park from 12 to 8 p.m. for the public to see the new parking control system and ask questions. [CBC]
EY has now released a report on privacy trends in 2016, called “Can privacy really be protected anymore?” Of those surveyed, nearly half said they were concerned with having a clear picture of where personal information is stored outside the organization’s systems and services. Additionally, nearly 40% expressed concern that there are not enough people to support their privacy program. “As the onus of accountability shifts from regulators to organizations,” the report states, “organizations need to take heed of where they are in terms of their privacy maturity and what they need to do to make privacy protection part of everything in an organization.” [Source]
US – Tech Company Settles FTC Charges for Installation of Apps Without Consumer Knowledge or Consent
General Workings Inc. entered into a settlement agreement with FTC for alleged violations of section 5(a) of the FTC Act. The company replaced a popular app with its own software program that automatically approved default permissions requests associated with apps that were then installed on consumers’ desktops and mobile devices; the company must delete all consumer personal information in its possession, custody or control, inform consumers of the types of information that will be accessed and display any permissions notice or approval requests prior to installation of the app. [FTC Settlement Agreement with General Workings Inc and Ali Moiz and Murtaza Hussain – File 152-3159] [Press Release] [FTC Complaint]
The University of Maryland Francis King Carey School of Law’s Danielle Keats Citron argues that state attorneys general are the unsung heroes of developing privacy law in her new research that has been posted to the Social Science Research Network, entitled “Privacy Enforcement Pioneers: The Role of State Attorneys General in the Development of Privacy Law.” In it, she writes, “Accounts of privacy law have focused on legislation, federal agencies, and the self-regulation of privacy professionals,” adding, “Crucial agents of regulatory change, however, have been ignored: the state attorneys general.” According to the SSRN abstract, “this article is the first in-depth study of the privacy norm entrepreneurship of state attorneys general.” [Full Story]
Seven cybersecurity firms banded together to create the Coalition for Cybersecurity Policy and Law, a group committed to developing an online privacy framework with legislators. Cisco, Intel, Arbor Networks, Microsoft, Oracle, Rapid7 and Symantec are the organizations represented in the coalition, which was “founded on three major principles: stimulating the cybersecurity marketplace; encouraging cybersecurity innovation,” and encouraging other companies to embrace cybersecurity from the ground up. “The members of this Coalition are dedicated to building our nation’s public and private cybersecurity infrastructure, and their insight and engagement must play a vital role in the decisions being made by our government on cybersecurity policy,” said Venable’s Ari Schwartz, who serves as the coalition’s coordinator. [FedScoop]
An unnamed judge recently spent time at the Pineglades Naturist Club in Rolleston where he was photographed lounging and playing games in the nude. The club had posted photos of the naked judge online for promotional purposes. However, the photos were removed from the club’s website after the newspaper made inquiries into them. The Guidelines for Judicial Conduct warn that a judge attracts more attention and scrutiny than most members of the community, so they should accept some restrictions on conduct and activities. The judge is unlikely to be punished though as there are no disciplinary mechanisms for enforcing the guidelines. [The New Zealand Herald]
This week, the Federal government took the first steps toward implementation of the Cybersecurity Information Sharing Act (CISA), enacted into law last December. CISA aims to encourage sharing of cyber threat indicators and defensive measures among private companies and between the private sector and the Federal government by providing liability protection for sharing such information in accordance with the Act. The DHS Federal Register notice was published this morning here. As required by the Act, the government has released four pieces of guidance designed to assist companies and Federal agencies with respect to sharing, receiving and handling cyber threat information.
- For non-Federal (mostly private sector) entities: DHS and DOJ jointly released guidance to private companies and other non-Federal entities designed to promote sharing of cyber threat indicators and defensive measures from companies to the Federal government. This includes guidance regarding instances in which personal information would (or would not) be necessary to describe a cyber threat, as well as categories of information likely to be considered individually identifiable information unrelated to a cybersecurity threat. The document also sets forth the sharing mechanisms that private companies should use in order to obtain liability protection for providing cyber threat indicators and defensive measures to the Federal government.
- For Federal entities: The Director of National Intelligence, along with the Department of Homeland Security (DHS), the Secretary of Defense, and the Department of Justice (DOJ) released guidance outlining procedures for the sharing of classified and unclassified cyber threat indicators and defensive measures possessed by the Federal government with private companies and other levels of government. The release stressed that existing sharing mechanisms and programs are “dynamic and are expected to grow or evolve over time,” and that some programs “may be discontinued” and replaced by new mechanisms.
- Interim procedures: DHS and DOJ also set forth interim procedures related to the receipt of cyber threat indicators and defensive measures by the Federal government. This document sets forth the processes for Federal agency receipt, handling and dissemination of cyber threat indicators and defensive measures, including via the operation of the DHS Automated Indicator Sharing capability also established under the Act.
- Privacy and civil liberties interim guidelines: DHS and DOJ also released interim privacy and civil liberties guidelines governing the receipt, retention, use and dissemination of cyber threat indicators by a Federal agency. The guidance is designed to apply Fair Information Practice Principles (FIPPs) to Federal agency receipt, use and dissemination of cyber threat indicators consistent with CISA’s goal of protecting networks from cybersecurity threats. [Source]
Bitglass’ second annual “Where’s Your Data” study found that within “a few days” of leaking false user data, the information was accessed via the Dark Web in “20 countries and multiple continents.” “In total, the team tracked over 1,400 visits to the fake credentials, in addition to the fictitious bank portal,” the report states. The findings are evidence of the need for companies to properly protect their personal information. “Organizations need a comprehensive solution that provides a more secure means of authenticating users and enables IT to quickly identify breaches and control access to sensitive data.” [ZD Net]
The $15/month Verizon “hum” service was originally launched to collect vehicle diagnostics, connect users to roadside assistance, provide maintenance reminders. But this morning Verizon announced that it will be adding a slew of new features for the hum, including: boundary alerts, speed alerts, vehicle location, and driving history. [The Consumerist] SEE ALSO: [Marc Garneau: Canada’s Senate To Study Rules Surrounding Driverless Cars]
Researchers say up to 80,000 digital video recorders (DVRs) used to record footage from surveillance cameras employ hardcoded passwords – or don’t use one at all – opening avenues for attackers to breach home and business networks and compromise privacy. In one examination, at least 46,000 DVRs were found open to remote hijacking through a hardcoded firmware username and password. Risk-Based Security chief researcher Carsten Eiram says most of the exposed cameras are operating in the US followed by the UK, Canada, Mexico and Argentina. [The Register]
Privacy advocates continue to criticize the Federal Communications Commission’s proposal for new set-top-box TV guidelines, calling them both “an assault on consumer privacy” and an outlet that lets “privacy scofflaws like Google” obtain greater swaths of user data, the Future of TV Coalition said. While FCC Chairman Tom Wheeler maintains the guidelines would have privacy protections, the advocacy group argues the overreaching consequences are too immense. “The Chairman’s approach creates a gaping hole in consumer privacy where none exists today, and leaves our personal viewing histories at the mercy of vast businesses built almost entirely on mining, exploiting, and profiling our personal data,” the Future of TV Coalition said. [MediaPost] [Lawmakers weigh in on FCC set-top box changes]
The Department of Homeland Security published interim guidelines that illustrate how the agency will collect data under the Cybersecurity Act of 2015. The act-mandated move was an attempt to assuage critics of the legislation, who fear it will conclude with even more citizen data collected by the agency. “We know many cyber intrusions can be prevented if we share cyber threat indicators,” said DHS Secretary Jeh Johnson. “Sharing this kind of information in real-time, and swiftly applying defensive measures, will allow both the government and private sector to more effectively prevent attacks.” The agency has until June to complete a more formal privacy guideline. [The Hill]
- After quickly passing through the House and Senate, Congressional supporters of the Judicial Redress Act expect President Obama to sign it into law. The bill would allow EU netizens to contend U.S. misuse of their data, the report states.
- Reps. Ted Lieu, D-Calif., and Blake Farenthold, R-Texas, have introduced the ENCRYPT Act of 2016, or the Ensuring National Constitutional Rights of Your Private Telecommunications Act, which would override several state laws attempting to weaken encryption in electronic communication.
- A Utah bill that would amend the state’s criminal code to include so-called doxing — the process of leaking someone’s personally identifiable information online against their consent — but, critics fear the bill’s broad language would stifle free speech.
- Rep. Hank Johnson, D-Ga., has introduced a pair of bills that would require consent for app developers to collect consumer data and require data brokers to offer access, correction and opt-out tools.
- Legislatures in California and New York will soon tackle bills aiming to loosen encryption on cellphones in order to allow law enforcement to access data helpful to solving criminal cases.
- The ACLU and the Tenth Amendment Center have teamed up to write model legislation protecting student data.
- The Wyoming Senate offer initial support to a student social media bill.
- The Florida Senate passed a bill to allow residents to pass on their digital assets upon their death or inability to handle them. The bill now heads to the House.
US – Bosses Tap Outside Firms to Predict Which Workers Might Get Sick
In an attempt to curb the cost expended for health care, companies like Wal-Mart are employing data mining groups to analyze employee information that identifies those with potential health risks. “Companies say the goal is to get employees to improve their own health as a way to cut corporate health care bills,” the report states, but “privacy experts worry that management could obtain workers’ health information, even if by accident, and use it to make workplace decisions.” [Wall Street Journal] [US: Bosses Harness Big Data to Predict Which Workers Might Get Sick]